How to monitor traffic on a Cisco router using Linux (Netflow)

By default, Cisco IOS doesn’t provide traffic monitoring tools like iftop or iptraf, which are available on Linux. While there are lots of proprietary solutions for this purpose, including Cisco Netflow Collection, you are free to choose the open source nfdump and nfsen software to monitor the traffic of one or many Cisco routers and get detailed monitoring data on your Linux command line or as graphs at absolutely no cost.

Below is a beginner’s guide that helps you quickly deploy a netflow collector and visualizer under Linux and impress everybody with cute and descriptive graphs like these:

It is highly recommended to look through the Netflow basics to get a brief understanding of how it works before configuring anything. For example, here is Cisco’s document that gives complete information about Netflow. In a few words: to get started, you should enable netflow exporting on the Cisco router and point it to a netflow collector running under Linux. The exported data will contain complete information about all packets the router has received or sent, so nfdump and nfsen running under Linux will collect it and visualize it to present you with graphs like the example above.

Cisco Router Setup

1. Enable flow export on ALL of the Cisco router’s interfaces that send and receive traffic; here is an example:

It requires a web server with the PHP module and RRD, so make sure you have the corresponding packages installed. I hope you’re running httpd with PHP already, so below are installation hints for the RRD/Perl related packages only.

In order to continue, you should edit the file etc/nfsen.conf to specify where to install nfsen, the web server’s username, its document root directory, etc. That file is commented, so there shouldn’t be serious problems with it.

One of the major sections of nfsen.conf is ‘Netflow sources’. It should contain exactly the same port number(s) you’ve configured on the Cisco router; recall the ‘ip flow-export …’ line where we specified port 23456. E.g.

In case of success you’ll see the corresponding notification, after which you will have to start the nfsen daemon to get the ball rolling:

/path/to/nfsen/bin/nfsen start

From this point on, nfdump is collecting the netflow data exported by the Cisco router and nfsen is working hard to visualize it. Just open a web browser and go to http://linux_web_server/nfsen/nfsen.php to make sure. If you see empty graphs, just wait for a while to let nfsen collect enough data to visualize.

invaluable information A little bit in a hurry, did not get to read everything but will definitely come back later to finish everything. I think the second paragraph pretty much says everything.. for several years

Definitely believe that which you stated. Your favorite reason appeared to be on the net the simplest thing to be aware of. I say to you, I definitely get annoyed while people consider worries that they plainly do not know about. You managed to hit the nail upon the top and also defined out the whole thing without having side-effects, people could take a signal. Will probably be back to get more. Thanks

Neat blog theme! What place? Anyway, I have already been hanging out right here for some time now and ultimately I have the courage to leave a comment. Most of your write-up is utterly fascinating. Well, I decided to share it on Facebook.

Thanks for a very informative web site. What else may I get that type of info written in such a perfect manner? I've a mission that I'm simply now working on, and I've been at the look out for such info.

Artem has been a systems engineer for more than 7 years and holds broad experience in Linux, Unix, and Cisco systems administration. Feel free to get in touch with Artem Nosulchik via Google Plus, Twitter or Facebook.

Who’s behind LinuxScrew?

My name is Artem Nosulchik, I'm a part-time blogger and a full-time Linux sysadmin. In 2007 I started LinuxScrew to share my personal notes on anything related to Linux and Open Source on the whole and found this pretty interesting.